amavis and DDOS attacks

Amavis is running on port 127.0.0.1, this port cant be reached from outside, so it cant be attacked with a dos attack from a external server. If you would bind amavis to the server IP instead of localhost, then everyone would be able to use amavisd to send emails trough your server and to attack amavisd.

 

If its not true what I say, then you know it better and there is no further explanation required

 

Email can not be passed directly directly from a registered email user.

I guess you dont really understand whats happening and therefor claim that someone is doing something with your amavis just because you see amavis headers in the email (which are in all emails of your server btw). Here some basics on how the mail system works:

Postfix receives a email, then forwards it to amavis and amavis pases it back to postfix for either local or external delivery.

Now I try to guess whats your problem is, someone cracked one of your clients email accounts and sends spam over it. This happens quite regular these days and is not related to your server setup at all, there are several windows tojans out there that grep the passwords of user accounts from the mail programs (Otlook, thunderbird, etc.) on infected windows desktops and hand them over to botnets which misuse the provider servers (your server) then to send spam.

To stop that, change the password of the mail account, delete the spam messages from the mailqueue and inform your client that he shall scan his desktop with a antivirus software and that he shall not enter the new password until his system is clean.

 

Thats the IP address of your server, not the gateway.

 

There was nothing after "sasl_username="? Or did you remove it or was it maybe in the next line of the log?

 

This is important as the email address that is shown there is the user that has been authenticated correctly to send this email. The message you posted is not an error btw, its a success message. Postfix reported that this user has been authenticated correctly by using the correct password and send a email.

So if this mail was spam, then you should change the password of this account and inform the user that owns the account to check hos computer for viruses and trojans before he enters the new password again in his mail client.

 

If you use a courier mailserver and this address is currently sending, then you should also restart saslauthd to ensure that it reads the new login details from mysql immediately.

 

The command is:

/etc/init.d/saslauthd restart

 

Ok, then you most likely use dovecot and not courier. In this case, you can restart dovecot.

 

Messages are send on port 25. Ports 587 and 465 are additional ports to deliver emails from the mail client to postfix.